[Idr] SECURE-EVPN's IPsec SA Inheritance can be improved by the mechanism described by draft-dunbar-idr-sdwan-edge-discovery. Would you consider?

Linda Dunbar <linda.dunbar@futurewei.com> Mon, 10 August 2020 22:36 UTC

Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 944F33A0DC0; Mon, 10 Aug 2020 15:36:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.089
X-Spam-Level:
X-Spam-Status: No, score=-2.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jFU7XVmkD8Xz; Mon, 10 Aug 2020 15:36:32 -0700 (PDT)
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (mail-bn8nam11on2109.outbound.protection.outlook.com [40.107.236.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55D7D3A0DCB; Mon, 10 Aug 2020 15:36:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=brcXbCR991merCBF3/78bzM88xMtghQ1AYi3V9a+fDG909JkXm9VEia04vQ1BM4FFuhkk0eVP/uevskcwFdZCzK0RC0ApWWNp5qJg+g1192rAbsgdHx9y2HeF2W4xTwyVJbyjE3KE0qWPoIlZNC4uVbUpsLcuunkrZVofOG8I5gDKZkdIFcepcnljULcLPlRjkdri5dFwSxjUijZ7nlg6gzU7Wlt4dowprviMsUqGkQPrAWuKV7mYqQLPT6EjSA1ddl93VOWVAxHcaPeGSVG9+fxxPYA6vfeu1z7+c1H8jQ6/JSLK/zM9amV6gDiQb2IbBM69shrYOiCHZBfBPfyvw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nGHXt7hZzDvaFMVfucOwn+IzZgING6PLC4LGLrxP2wA=; b=gSgNvr2ZADzidMHZqqCsGF12huozMCxlF/FnOIyWysdGcj3wilpVeujlfawoU+KiHcXIs7JZmT7oYWjgAHpqzXIsAke2urgw0+Vrb2X9nUixPMLf+AqGcXpxad4GLQTjiwHRgy1enivsYD23cicIEVVpz/Lr6z4eExQ/jlcxB8ciGGMu4fiXBqu6GMk7aJon/Wcst8QOAI0s6HmZ8n5CTd6pRbzs724373E6NMaRBraR4OZT94HSNhdd+pyF2JH/3bY0tMAQaFDnJJ+f1lKZIZ3jQhGs/vDlGfatCZsRR4u/Pj0l9HGXUwb/obe0YM4xQg2w3TBYqw2zPowc58fXEA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nGHXt7hZzDvaFMVfucOwn+IzZgING6PLC4LGLrxP2wA=; b=fiPTn6gudIxzd0IYHAzTG6Cdw0cTb2Vnkj4sn8N0AxUiFOSI3CPLjQXuLEa1bvx+VLfLCxAGlRIFz+HTJRuENWK1JBQwmZm8to1C1Te+h9sJIaA01B7d+Mt65QQYGcDMFwGd7WzvBTlP68y+fhj7fOCK5I9M+DPDfWSBwe4Tw2c=
Received: from SN6PR13MB2334.namprd13.prod.outlook.com (2603:10b6:805:55::16) by SN6PR13MB2335.namprd13.prod.outlook.com (2603:10b6:805:5d::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3283.10; Mon, 10 Aug 2020 22:36:28 +0000
Received: from SN6PR13MB2334.namprd13.prod.outlook.com ([fe80::44e5:1f97:c5a9:4346]) by SN6PR13MB2334.namprd13.prod.outlook.com ([fe80::44e5:1f97:c5a9:4346%3]) with mapi id 15.20.3283.014; Mon, 10 Aug 2020 22:36:28 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: "Ali Sajassi (sajassi)" <sajassi@cisco.com>, "bess@ietf.org" <bess@ietf.org>, "idr@ietf.org" <idr@ietf.org>, "'shares@ndzh.com'" <shares@ndzh.com>
Thread-Topic: SECURE-EVPN's IPsec SA Inheritance can be improved by the mechanism described by draft-dunbar-idr-sdwan-edge-discovery. Would you consider?
Thread-Index: AdZvZq3MEjPXGCacSua7T00mVl6J8A==
Date: Mon, 10 Aug 2020 22:36:28 +0000
Message-ID: <SN6PR13MB233403BDCE3517D7F60F160E85440@SN6PR13MB2334.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: cisco.com; dkim=none (message not signed) header.d=none;cisco.com; dmarc=none action=none header.from=futurewei.com;
x-originating-ip: [72.180.73.64]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: fbefe3ae-6a09-4a3b-9b49-08d83d7dd2b5
x-ms-traffictypediagnostic: SN6PR13MB2335:
x-microsoft-antispam-prvs: <SN6PR13MB233574FE3A3FA00A70FE4EB685440@SN6PR13MB2335.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SN6PR13MB2334.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(346002)(39840400004)(136003)(396003)(376002)(2906002)(86362001)(186003)(83380400001)(52536014)(26005)(4743002)(5660300002)(66446008)(8936002)(6506007)(99936003)(66576008)(66476007)(53546011)(66946007)(64756008)(66556008)(166002)(7696005)(33656002)(316002)(478600001)(76116006)(8676002)(55016002)(9686003)(110136005)(44832011)(966005)(71200400001)(218113003)(491001); DIR:OUT; SFP:1102;
x-ms-exchange-transport-forked: True
Content-Type: multipart/related; boundary="_005_SN6PR13MB233403BDCE3517D7F60F160E85440SN6PR13MB2334namp_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SN6PR13MB2334.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fbefe3ae-6a09-4a3b-9b49-08d83d7dd2b5
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Aug 2020 22:36:28.6139 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: U3z9RyUtNPsNEx+1SM2fhOHUhYizI+N13YrVVCr/1l2BjfMW5QqD13FSPcHbI3lwI+C3RyY/Rs7aD1tokoBK3Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR13MB2335
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/5QtizlcjSVKoFB0oPd3l-v8gsy8>
Subject: [Idr] SECURE-EVPN's IPsec SA Inheritance can be improved by the mechanism described by draft-dunbar-idr-sdwan-edge-discovery. Would you consider?
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2020 22:36:36 -0000

Ali,  et al:

Your draft-sajassi-bess-secure-evpn-03 (the Section 4.1 Inheritance of Security Policies)  has very stringent mapping  for the SA Inheritance  or “Recursive resolution” :
“In the event, there are no security TLVs associated with an EVPN route, there is a strict order in the manner security associations are inherited for such a route.  … If such [IPsec ] TLVs are missing with the associated route, then one checks to see if the subnets the IPs
are associated with has security TLVs with the EVPN IMET route. If they are present, those associations are used in securing the
traffic. In the absence of them, the peer security associations are used.”

Here are some issues with this stringent mapping:


  *   There could be multiple IPsec Security Associations between two Peers, as shown in the figure below, where the Purple SA terminate at the peer nodes, the  Blue & Red SAs terminate at the  WAN ports, and there could be more SAs that are terminated at the client specific routes.  A user might have the policy to allow its Client route 10.1.1.x to be carried by either MPLS Path or the RED  IPsec SA.


[cid:image003.png@01D66F3C.C5D28F40]



https://datatracker.ietf.org/doc/draft-dunbar-idr-sdwan-edge-discovery/ [BGP-Edge-Discovery] proposes client routes UPDATEs only include the IPsec SA identifiers (ID) to reference the IPsec SA attributes being advertised by separate Underlay Property BGP UPDATE messages.



By referencing IPsec SA ID, instead of the detailed IPsec attributes Sub-TLVs, not only it makes the client routes UPDATE more compact (just an additional  4 bytes ID field), it also enables more flexible SA Inheritance, allowing client routes to be inherited by specific IPsec SA IDs. If a client route can be carried  by more than one IPsec SAs or mixed IPsec & MPLS path, simply include multiple IPSec IDs, as shown in the following figure:





[cid:image004.png@01D66F3C.C5D28F40]





The [BGP-Edge-Discovery] differs from your [SECURE-EVPN] in how the information is included in the client routes. Your [Secure-EVPN] attaches all the IPsec SA information to the actual client routes, whereas the [BGP-Edge-Discovery] only includes the IPsec SA IDs for the client routes.

The IPsec SA IDs used by [BGP-Edge-Discovery] is pointing to the IPsec SA Information which are advertised separately.



[BGP-Edge-DISCOVERY] proposes underlay tunnel topology information and IPsec SA attributes are  advertised  in a separate BGP UPDATE with  NLRI having an SAFI=74 (SDWAN SAFI) and a Tunnel Encapsulation attribute with tunnel type being SDWAN-Underlay.



We think that reference IPsec SA ID is more efficient for SECURE-EVPN. Sincerely hope you consider our proposed approach.



Thank you

Linda Dunbar


From: Ali Sajassi (sajassi) <sajassi@cisco.com>
Sent: Monday, July 27, 2020 10:17 PM
To: Susan Hares <shares@ndzh.com>om>; 'Hu, Jun (Nokia - US/Mountain View)' <jun.hu@nokia.com>om>; draft-sajassi-bess-secure-evpn@ietf.org; draft-dunbar-idr-sdwan-edge-discovery@ietf.org
Cc: idr-chairs@ietf.org; bess-chairs@ietf.org; 'Alvaro Retana' <aretana.ietf@gmail.com>om>; martin.vigoureux@nokia.com; Ayan Banerjee (ayabaner) <ayabaner@cisco.com>
Subject: Re: Drafts related to IPSec Tunnels - My follow upon IETF 105 - is an Analysis draft

Hi Sue,

We are planning in progressing secure-evpn draft.

Regarding scale issues, there is an assumption in your draft that is not accurate and we discussed it in idr & rtgwg mailing lists June of last year. More specifically the assumption of sending tunnel attribute with client routes. Unless you need to setup a separate IPsec tunnel per client route, you SHOULD NOT send the tunnel attribute with the client routes. Instead, one of the inheritance schemes should be used for client routes. As I discussed in the idr/rtgwg mailing list in June/2019, there are three ways to do such inheritance and they are:

  1.  Recursive resolution
  2.  Coloring
  3.  Hierarchical

The first two are described in tunnel-encap and the last one is described in secure-evpn. If it helps, I can add a section to secure-evpn to describe all three of them in one place.

Regards,
Ali

From: Susan Hares <shares@ndzh.com<mailto:shares@ndzh.com>>
Date: Tuesday, July 14, 2020 at 5:40 PM
To: "'Hu, Jun (Nokia - US/Mountain View)'" <jun.hu@nokia.com<mailto:jun.hu@nokia.com>>, "draft-sajassi-bess-secure-evpn@ietf.org<mailto:draft-sajassi-bess-secure-evpn@ietf.org>" <draft-sajassi-bess-secure-evpn@ietf.org<mailto:draft-sajassi-bess-secure-evpn@ietf.org>>, "draft-dunbar-idr-sdwan-edge-discovery@ietf.org<mailto:draft-dunbar-idr-sdwan-edge-discovery@ietf.org>" <draft-dunbar-idr-sdwan-edge-discovery@ietf.org<mailto:draft-dunbar-idr-sdwan-edge-discovery@ietf.org>>
Cc: "idr-chairs@ietf.org<mailto:idr-chairs@ietf.org>" <idr-chairs@ietf.org<mailto:idr-chairs@ietf.org>>, "bess-chairs@ietf.org<mailto:bess-chairs@ietf.org>" <bess-chairs@ietf.org<mailto:bess-chairs@ietf.org>>, 'Alvaro Retana' <aretana.ietf@gmail.com<mailto:aretana.ietf@gmail.com>>, "martin.vigoureux@nokia.com<mailto:martin.vigoureux@nokia.com>" <martin.vigoureux@nokia.com<mailto:martin.vigoureux@nokia.com>>
Subject: Drafts related to IPSec Tunnels - My follow upon IETF 105 - is an Analysis draft
Resent-From: <alias-bounces@ietf.org<mailto:alias-bounces@ietf.org>>
Resent-To: Cisco Employee <sajassi@cisco.com<mailto:sajassi@cisco.com>>, <ayabaner@cisco.com<mailto:ayabaner@cisco.com>>, <sthoria@cisco.com<mailto:sthoria@cisco.com>>, <carrel@cisco.com<mailto:carrel@cisco.com>>, <bew.stds@gmail.com<mailto:bew.stds@gmail.com>>, <jdrake@juniper.net<mailto:jdrake@juniper.net>>
Resent-Date: Tuesday, July 14, 2020 at 5:40 PM

Greetings:

I’m looking to pick up on our work from IETF 105
on drafts that suggest new Sub-TLVs for the
BGP tunnel encapsulation attribute.

If you are interested in continuing your work and getting approval
for your Sub-TLVs to be added to the list of approved Sub-TLVs
for the BGP tunnel encapsulation attribute,
please let me know.

The BGP tunnel encapsulation draft is now at -16.txt
after receiving Alvaro’s AD review.   We’re about to go
through a final round of  discussion on the IDR list, and I’d like to
make sure your proposed new Sub-TLVs fit with
draft-ietf-idr-tunnel-encaps-16.

If you do not wish to continue your work,
I want to thank you again for your hard work at IETF 105.
I felt each of the proposed solutions brought new valuable
concepts to passing tunnels in formation for IPsec in
BGP.

Cheerily, Sue


Details on the help I need
================================
After reviewing all the drafts at IETF 105 and seeing subsequent
changes to drafts to address security issues, I have
the impression that each draft had a targeted use case
and a particular profile for security, privacy, being managed in a network,
and scaling.   I’ve written up my impressions in
an analysis draft using use cases, and I’ve uploaded a part
of this draft for public viewing.

Before I upload the remainder of the analysis,  I would like
to chat with each author group and/or all authors together.
I want to make sure my analysis is correct.

The remaining part of the analysis looks at BGP Update scaling
for UPDATE sizes for two scenarios.
Scenario 1 is a small RR cluster (5 client routers)).
Scenario 2 is a huge RR cluster (10K client routers).

As far as I can tell, all 3 proposals can handle the
small RR cluster scenario.

The huge RR cluster scenario look far into the future to 5G/6G world
that might use this technology.   With 64K BGP messages
and 10G links for RR clusters, the huge RR cluster
is “doable” today on massive machines that do not forward traffic.

If being a co-author helps you work on this analysis draft,
please let me know.